[M-01] A lot with a lots.sdAmount less than the bidIncrement cannot be bid on
Impact
Anyone can create a lot by calling Auction.createLot() with any arbitrary amount they specify. However, creating a lot with a low sdAmount can result in two potential issues:
When someone creates a lot with an sdAmount that is worth less than or equal to 5e15 ETH, and the first bid is in place, the next bid will have to exceed the first bid by 5e15 ETH or more due to this check:
if (totalUserBid < lotItem.highestBidAmount + bidIncrement) revert InSufficientBid();
This may prevent other users from bidding (most users who bid on auctions aim for gain, not loss).
Creating lots with a low sdAmount will limit participation, because bidders may not engage with lots that have a low sdAmount, especially on the Ethereum network due to high gas fees.
Lines of code
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L71
Tools
Manual Review
Recommended Mitigation Steps
We recommend preventing the creation of a lot with a dust amount that is less than the bidIncrement.
Assessed type
Invalid Validation
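The bid check and the recommended guard described above, as an added Python model (not code from the report or from the Stader contracts). Assumptions: highestBidAmount starts at 0, sdAmount and bids are compared on the same scale as the finding does, and LotAmountTooLow, enforce_min_lot and next_bidder_margin are hypothetical names.

```python
BID_INCREMENT = 5 * 10**15  # bidIncrement value cited in the finding (5e15)


class InSufficientBid(Exception):
    """Mirrors the revert in the check quoted in the finding."""


class LotAmountTooLow(Exception):
    """Hypothetical error for the recommended guard."""


class Auction:
    def __init__(self, enforce_min_lot=False):
        self.enforce_min_lot = enforce_min_lot  # True = mitigation applied
        self.lots = {}
        self.next_lot_id = 1

    def create_lot(self, sd_amount):
        # Recommended mitigation: reject dust lots below bidIncrement.
        if self.enforce_min_lot and sd_amount < BID_INCREMENT:
            raise LotAmountTooLow(sd_amount)
        lot_id = self.next_lot_id
        # Assumption: a new lot starts with highestBidAmount = 0.
        self.lots[lot_id] = {"sdAmount": sd_amount, "highestBidAmount": 0, "bids": {}}
        self.next_lot_id += 1
        return lot_id

    def add_bid(self, lot_id, bidder, value):
        lot = self.lots[lot_id]
        total_user_bid = lot["bids"].get(bidder, 0) + value
        # Same comparison as the quoted check.
        if total_user_bid < lot["highestBidAmount"] + BID_INCREMENT:
            raise InSufficientBid(total_user_bid)
        lot["bids"][bidder] = total_user_bid
        lot["highestBidAmount"] = total_user_bid

    def next_bidder_margin(self, lot_id, lot_value):
        """Lot value minus the cheapest bid the check would accept next.

        lot_value is the bidder's own valuation of the lot, on the same
        scale as the bids. A negative result means every acceptable bid
        loses money.
        """
        lot = self.lots[lot_id]
        return lot_value - (lot["highestBidAmount"] + BID_INCREMENT)
```
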